diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 5aca35d..f9c818b 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -120,5 +120,8 @@ possible terse description is shown below:
     password using any openssl password options like pass:1234 or env:var
  *  `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for
     password using any openssl password options like pass:1234 or env:var
+ *  `EASYRSA_UMASK` - safe umask to use for file creation. Defaults to `077`
+ *  `EASYRSA_NO_UMASK` - disable safe umask. Files will be created using the
+    system's default
 
 **NOTE:** the global options need to be provided before the actual commands.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 617ed6f..6b05c7a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2488,7 +2488,7 @@ NL='
 '
 
 # Be secure with a restrictive umask
-[ -z "$EASYRSA_NO_UMASK" ] && umask 077
+[ -z "$EASYRSA_NO_UMASK" ] && umask ${EASYRSA_UMASK:-077}
 
 # Parse options
 while :; do